在 Zend Framework 2 中进行数据库查询时,我应该如何清理用户提交的值?比如下面SQL中的$id
$this->tableGateway->adapter->query(
"UPDATE comments SET spam_votes = spam_votes + 1 WHERE comment_id = '$id'",
\Zend\Db\Adapter\Adapter::QUERY_MODE_EXECUTE
);
最佳答案
执行的时候可以传参数..
$statement = $this->getAdapter()->query("Select * from test WHERE id = ?");
$result = $statement->execute(array(99));
$resultSet = new ResultSet;
$resultSet->initialize($result);
您也可以将它们直接传递给查询方法
$statement = $this->getAdapter()->query(
"Select * from test WHERE id = ?",
array(99)
);
$result = $statement->execute();
$resultSet = new ResultSet;
$resultSet->initialize($result);
两者都会产生查询“Select * from test WHERE id = '99'”
如果你想使用命名参数:
$statement = $this->getAdapter()->query("Select * from test WHERE id = :id");
$result = $statement->execute(array(
':id' => 99
));
$resultSet = new ResultSet;
$resultSet->initialize($result);
如果你想引用你的表/字段名称等:
$tablename = $adapter->platform->quoteIdentifier('tablename');
$statement = $this->getAdapter()->query("Select * from {$tablename} WHERE id = :id");
$result = $statement->execute(array(
':id' => 99
));
关于mysql - ZF2 清理数据库查询的变量,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/15274354/